dsjq62428 2016-08-01 04:36
Views: 109

Microsoft Azure AD OAuth: identifying the user roles and groups (orgunit) a user belongs to

I am doing OAuth2 with Azure AD. I am able to authenticate a user and list all the groups for a domain by using this API reference:

https://msdn.microsoft.com/en-us/library/azure/ad/graph/api/api-catalog

I am having an issue which I really need some help on:

1) When a user logs in I am not able to identify the user's role. In Google only an admin/delegated admin has permission to list groups, thus we are using this to identify an admin. Unfortunately for Azure AD a normal user can list groups as well. I want to be able to see if the user's role is User, User Admin, Password Admin etc.

2) I need a way to get the group (orgunit) which the user belongs to. I went through the API link (above) several times but was not able to find something helpful. I did try to set up a local Active Directory where I set up the orgunit and synced it over to Azure AD. But consistently I see that department is null.


1 answer

  • dqxafj6830 2016-08-01 09:31

    1) When a user logs in I am not able to identify the user's role. In Google only an admin/delegated admin has permission to list groups, thus we are using this to identify an admin. Unfortunately for Azure AD a normal user can list groups as well.

    The Group.Read.All scope requires Administrator Consent. However, the administrator could grant the consent for the organization. Then a normal user could also list the groups. Please refer to the Azure consent framework here.

    2) I need a way to get the group (orgunit) which the user belongs to. I went through the API link (above) several times but was not able to find something helpful.

    You can use the REST call below to get a user's group and directory role memberships:

    GET https://graph.windows.net/myorganization/users/{user_id}/$links/memberOf?api-version
    

    Refer GetUserMemberShips.

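The point the answer makes is that being able to call a read API (listing groups) says nothing about a user's role once an admin has consented for the whole organization, so an application that wants to know whether the signed-in user is an administrator should read the user's directory role memberships instead. The following Python script is an added example, not code from the original post. It builds the `$links/memberOf` URL from the answer, splits the response into groups and directory roles, and resolves the role ids against the tenant's directory role catalogue. It assumes the Azure AD Graph (`graph.windows.net`) `$links` response shape, where each link URL ends in `/directoryObjects/<objectId>/Microsoft.DirectoryServices.<Type>`, assumes API version `1.6` (the answer's URL leaves the value out), and uses a sample response and role catalogue that are constructed here, not real tenant data. The role display names in `ADMIN_ROLE_NAMES` are the built-in Azure AD Graph names, but which of them count as "admin" is this example's own choice.

```python
"""Resolve a user's Azure AD Graph memberships into groups and admin roles.

Added example (not from the original post). Assumes the $links/memberOf
response shape of the Azure AD Graph API and api-version 1.6.
"""
import json
import urllib.request
from urllib.parse import quote

GRAPH_BASE = "https://graph.windows.net"
API_VERSION = "1.6"  # assumption: the answer's URL omits the api-version value

# Built-in directory role display names treated as "admin" in this example
# (the set itself is an assumption of the example, adjust to your policy).
ADMIN_ROLE_NAMES = {
    "Company Administrator",        # Azure AD Graph name for Global Administrator
    "User Account Administrator",
    "Password Administrator",
}


def member_of_url(user_id, tenant="myorganization", api_version=API_VERSION):
    """Build the $links/memberOf URL from the answer for a user id or UPN."""
    return (f"{GRAPH_BASE}/{tenant}/users/{quote(user_id, safe='')}"
            f"/$links/memberOf?api-version={api_version}")


def classify_memberships(payload):
    """Split a $links/memberOf response into group ids and directory role ids.

    $links only returns URLs, but each one ends in
    .../directoryObjects/<objectId>/Microsoft.DirectoryServices.<Type>,
    so the object type is recoverable from the last path segment.
    """
    result = {"groups": [], "directory_roles": [], "other": []}
    for link in payload.get("value", []):
        url = link.get("url", "")
        parts = url.rstrip("/").rsplit("/", 2)
        if len(parts) != 3:
            result["other"].append(url)      # malformed or unexpected link
            continue
        _, object_id, type_segment = parts
        object_type = type_segment.rsplit(".", 1)[-1]
        if object_type == "Group":
            result["groups"].append(object_id)
        elif object_type == "DirectoryRole":
            result["directory_roles"].append(object_id)
        else:
            result["other"].append(object_id)
    return result


def admin_roles_held(classified, roles_by_id):
    """Return the admin role names the user holds, sorted.

    roles_by_id maps directory role objectId -> displayName, i.e. what a
    GET /directoryRoles call on the tenant returns (constructed here).
    """
    names = {roles_by_id.get(rid, "") for rid in classified["directory_roles"]}
    return sorted(names & ADMIN_ROLE_NAMES)


def fetch_memberships(user_id, access_token, tenant="myorganization"):
    """Live call, not executed in the offline demo; needs a bearer token
    that is allowed to read directory data."""
    req = urllib.request.Request(
        member_of_url(user_id, tenant),
        headers={"Authorization": f"Bearer {access_token}"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample response and role catalogue (not real tenant data).
_OBJ = "https://graph.windows.net/contoso.onmicrosoft.com/directoryObjects/"
SAMPLE_MEMBER_OF = {
    "value": [
        {"url": _OBJ + "11111111-aaaa-4bbb-8ccc-000000000001/Microsoft.DirectoryServices.Group"},
        {"url": _OBJ + "22222222-aaaa-4bbb-8ccc-000000000002/Microsoft.DirectoryServices.DirectoryRole"},
        {"url": _OBJ + "33333333-aaaa-4bbb-8ccc-000000000003/Microsoft.DirectoryServices.Group"},
    ]
}
SAMPLE_ROLES_BY_ID = {
    "22222222-aaaa-4bbb-8ccc-000000000002": "Password Administrator",
    "44444444-aaaa-4bbb-8ccc-000000000004": "Company Administrator",
}

if __name__ == "__main__":
    classified = classify_memberships(SAMPLE_MEMBER_OF)
    print("memberships:", classified)
    print("admin roles held:", admin_roles_held(classified, SAMPLE_ROLES_BY_ID))
```

Because `$links/memberOf` returns only object URLs, the role names have to be looked up once against the tenant's directory roles; caching that id-to-name map avoids a second call per login. An authorization decision made this way depends on actual role membership rather than on whether a read call happened to succeed under organization-wide consent.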
